IBM BS029ML - WebSphere Portal Server Self Help Manual page 144

If you have trouble finding either users or groups, use an LDAP tool to verify that the settings
in the WMM configuration are correct. When WMM issues search requests to the LDAP server,
it generates the search filter from the parameters "wmmSecurityAttributeName",
"objectClassForRead", and "SearchFilter" in wmm.xml.
For example, assume that you search for "john*" on the attribute "uid" and have the WMM
configuration shown in Example 4-19.
Example 4-19 WMM LDAP entry configuration
<supportedLdapEntryTypes>
<supportedLdapEntryType name="Person"
rdnAttrTypes="uid"
objectClassesForRead="inetOrgPerson"
objectClassesForWrite="inetOrgPerson"
searchBases="ou=people,ou=dept,o=acme.com"/>
<supportedLdapEntryType name="Group"
rdnAttrTypes="cn"
objectClassesForRead="groupOfUniqueNames"
objectClassesForWrite="groupOfUniqueNames"
searchBases="ou=groups,ou=dept,o=acme.com"/>
......
</supportedLdapEntryTypes>
The search filter that WMM sends to the LDAP server would look like
(&(uid=john*)(objectclass=inetorgperson)), with a search base of
"ou=people,ou=dept,o=acme.com".
Using an LDAP utility such as ldapsearch, we issue the following command to verify the same
configuration:
ldapsearch -h corpldap.acme.com -p 389 -b "ou=people,ou=dept,o=acme.com" -D
<bindDN> -w <password> "(&(uid=john*)(objectclass=inetorgperson))"
where <bindDN> is the bind user used in WMM configuration, and <password> is the
password for the bind user.
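As an added example (not code from the IBM guide), the following Python rebuilds the filter WMM generates from its wmm.xml parameters and the matching ldapsearch command line, so the two can be compared side by side; the search value is escaped per RFC 4515 so that parentheses or backslashes in a name cannot alter the filter's structure, while "*" is kept because WMM passes wildcards through. The bind DN and password used below are constructed placeholders.

```python
"""Rebuild WMM's LDAP search filter and the ldapsearch check for it.
Added example; hostnames, search base and object classes come from
Example 4-19 on this page, the bind DN and password are placeholders."""
import shlex

# RFC 4515 escapes for the characters that are special inside a filter.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str, allow_wildcard: bool = True) -> str:
    """Escape an assertion value; also escape '*' when no wildcard is meant."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in value)
    return escaped if allow_wildcard else escaped.replace("*", r"\2a")


def build_wmm_filter(search_attr: str, value: str, object_class_for_read: str) -> str:
    """(&(<attr>=<value>)(objectclass=<objectClassesForRead>)), as WMM generates it."""
    return "(&({}={})(objectclass={}))".format(
        search_attr, escape_filter_value(value), object_class_for_read.lower())


def ldapsearch_argv(host, port, search_base, bind_dn, password, ldap_filter):
    """argv for the ldapsearch verification command shown on this page."""
    return ["ldapsearch", "-h", host, "-p", str(port), "-b", search_base,
            "-D", bind_dn, "-w", password, ldap_filter]


def ldapsearch_command(*args) -> str:
    """Shell-quoted form of the same command, safe to paste into a terminal."""
    return shlex.join(ldapsearch_argv(*args))


if __name__ == "__main__":
    f = build_wmm_filter("uid", "john*", "inetOrgPerson")
    print(f)  # (&(uid=john*)(objectclass=inetorgperson))
    # cn=wmmbind,o=acme.com and BIND_PASSWORD are constructed placeholders.
    print(ldapsearch_command("corpldap.acme.com", 389, "ou=people,ou=dept,o=acme.com",
                             "cn=wmmbind,o=acme.com", "BIND_PASSWORD", f))
    # A value containing filter metacharacters stays one assertion value:
    print(build_wmm_filter("uid", "smith (ext)", "inetOrgPerson"))
```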
If you are able to search for users or groups by attributes but have a problem finding
their membership information, such as a failure to find the groups a user belongs to or the
users in a group, then the problem likely resides in the configuration of group-to-member
relationships. The first step is to check the user-to-group membership mapping.
Without realm support, check the setting in "group member ID map" of the
advanced LDAP configuration in WebSphere Application Server global security. There are
two ways to specify the user-to-group relationship in this field:
Multiple "objectclass:property" pairs separated by semicolons. In an objectclass:property
pair, the object class value is the same object class that is defined in the group filter, and
the property is the member attribute. Examples are
"groupOfUniqueNames:uniqueMember" and "groupOfNames:member". Note that
"uniqueMember" always goes with "groupOfUniqueNames", and "member" with
"groupOfNames". Never mix them.
Multiple "group attribute:member attribute" pairs separated by semicolons. For some
LDAP servers, such as IBM Tivoli Directory Server and Microsoft Active Directory, a user
entry is automatically assigned an implicit "group attribute" in which all groups the user
belongs to would be stored. Its purpose is to improve performance when you search the
groups of a user. Without such an attribute, the search has to exhaust all the groups within